Hi,
In the meantime I have internet access with DNS resolution from loc 10.0.0.0/24 and dmz 10.1.0.0/24.
However, I cannot access any client in loc from other clients in 192.168.178.0/24.
I only have access to loc and dmz from the server.
What is needed to get access to loc from other clients in 192.168.178.0/24?
Between the router (Fritz!Box) and the server I have a managed switch: LCS-GS8208-A
Do I need to configure a VLAN?
Regards,
Thomas
Sent: Sunday, 03 April 2016 at 17:27
From: "Tom Eastep" <teas...@shorewall.net>
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Configuration - appropriate configuration with 2 default gateways
On 04/03/2016 01:58 AM, Thomas Schneider wrote:
> OK.
>
> In the guide "Configuration Files Tips and Hints" you advise against
> usage of DNS Names.
> I have resolved the DNS names and I understand this article to highlight
> the risk if the provider changes things on their hand.
> However, I don't know how to mitigate this risk with a restrictive
> rule-set in dmz that should only allow access to the update servers.
>
> I have now modified masq config file accordingly:
> root@pc4-svp:/etc/shorewall# cat masq
> #INTERFACE SOURCE ADDRESS
> UMB_IF 10.0.0.0/24 217.8.50.86
> UMB_IF 10.1.0.0/24 217.8.50.86
>
> However, I believe I should then correct interfaces config file and set
> proxyarp=0 for zone dmz.
> Would you recommend setting the same options for zone dmz as configured
> for zone loc (adjusting nets=10.1.0.0/24)?
> root@pc4-svp:/etc/shorewall# cat interfaces
> #ZONE INTERFACE BROADCAST OPTIONS
> net UMB_IF -
> optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$UMB_IF,upnp,nosmurfs,tcpflags,dhcp
> net UMP_IF -
> optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$UMP_IF,upnp,nosmurfs,tcpflags
> loc INT_IF -
> dhcp,physical=$INT_IF,ignore=1,wait=5,routefilter,nets=10.0.0.0/24,routeback
> vpn TUN_IF+ - physical=tun+,ignore=1
> dmz DMZ_IF -
> routeback,proxyarp=1,required,wait=30
>
> After shorewall reset I have started apt update on a different client in
> loc (= 10.0.0.0/24) and dmz (= 10.1.0.0/24) and collected the attached dump.
>
The dump still shows no DNS rules loc->net and dmz->net.
> By the way:
> When creating dump file, I get this output indicating an issue with file
> /proc/net/nf_conntrack:
> root@pc4-svp:/home/thomas# shorewall dump > shorewall_dump.txt
> grep: /proc/net/nf_conntrack: Datei oder Verzeichnis nicht gefunden
> This file exists neither on my Debian 8 server nor on my Debian Sid
> notebook.
>
Install the conntrack package.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
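Tom's reply points out that the dump contains no DNS rules from loc or dmz to net. As an added illustration (not part of the original thread, and not Thomas's actual configuration), this is what explicit DNS rules for those two zones look like in Shorewall's /etc/shorewall/rules file, using the zone names from the posted interfaces file and the standard DNS macro; the REJECT policies shown for context are assumed, not taken from the thread.

```text
# /etc/shorewall/policy (assumed: loc and dmz are not allowed to reach net by default)
#SOURCE  DEST  POLICY  LOGLEVEL
loc      net   REJECT  info
dmz      net   REJECT  info

# /etc/shorewall/rules (added example)
# The DNS macro opens TCP and UDP port 53 only, so resolution works
# without granting the dmz general outbound access to net.
#ACTION       SOURCE  DEST  PROTO  DPORT
DNS(ACCEPT)   loc     net
DNS(ACCEPT)   dmz     net
```

Run `shorewall check` before `shorewall restart` so a syntax problem in the rules file is reported without replacing the running rule set.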
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users